Configure IPFilter Category
IP filters allow you to create rules to control traffic coming into your network.
To configure the IPFilter category:

1. Configure the IPFilter profile. In this example, the profile name is ipf_profile. The rules are ipf_rule, ipf_rule1 and ipf_rule2.

    set services security-intelligence profile ipf_profile category IPFilter
    set services security-intelligence profile ipf_profile rule ipf_rule match threat-level [8 9 10]
    set services security-intelligence profile ipf_profile rule ipf_rule then action block drop
    set services security-intelligence profile ipf_profile rule ipf_rule then log
    set services security-intelligence profile ipf_profile rule ipf_rule1 match threat-level 4
    set services security-intelligence profile ipf_profile rule ipf_rule1 then action block close http message "SecIntel Redirect Message"
    set services security-intelligence profile ipf_profile rule ipf_rule1 then log
    set services security-intelligence profile ipf_profile rule ipf_rule2 match feed-name fd1
    set services security-intelligence profile ipf_profile rule ipf_rule2 then action permit
    set services security-intelligence profile ipf_profile rule ipf_rule then log
    set services security-intelligence profile ipf_profile rule ipf_rule2 match threat-level 5
    set services security-intelligence profile ipf_profile rule ipf_rule2 then action block close http file secintel_redirect.txt
    set services security-intelligence profile ipf_profile rule ipf_rule2 match threat-level 6
    set services security-intelligence profile ipf_profile rule ipf_rule2 then action block close http redirect-url http://www.yahoo.com/redirect.html
    set services security-intelligence profile ipf_profile rule ipf_rule2 then log
    set services security-intelligence profile ipf_profile default-rule then action recommended
    set services security-intelligence profile ipf_profile default-rule then log

2. Use the show services security-intelligence CLI command to verify your profile. Your output should look similar to the following:

    show services security-intelligence
    ...
    }
    profile ipf_profile {
        category IPFilter;
        rule ipf_rule {
            match {
                feed-name fd1;
                threat-level [ 8 9 10 ];
            }
            then {
                action {
                    block {
                        drop;
                    }
                }
                log;
            }
        }
        rule ipf_rule2 {
            match {
                feed-name fd1;
                threat-level [ 5 6 ];
            }
            then {
                action {
                    block {
                        close {
                            http {
                                redirect-url http://www.yahoo.com/redirect.html;
                            }
                        }
                    }
                }
                log;
            }
        }
        rule ipf_rule1 {
            match {
                threat-level 4;
            }
            then {
                action {
                    block {
                        close {
                            http {
                                message "Secintel Redirect Message";
                            }
                        }
                    }
                }
                log;
            }
        }
        default-rule {
            then {
                action {
                    recommended;
                }
                log;
            }
        }
    }

3. Configure your IPFilter policy to point to the profile created in Step 1. In this example, the IPFilter policy name is ipf_policy.

    set services security-intelligence policy ipf_policy IPFilter ipf_profile

4. Use the show services security-intelligence CLI command to verify your policy. Your output should look similar to the following:

    show services security-intelligence policy ipf_policy
    IPFilter {
        ipf_profile;
    }

5. Configure the firewall policy to include the IPFilter policy. This example uses the trust-to-untrust zone pair.

    set security policies from-zone trust to-zone untrust policy p1 match source-address any destination-address any application any
    set security policies from-zone trust to-zone untrust policy p1 then permit application-services security-intelligence-policy ipf_policy

6. Use the show security policies CLI command to verify your settings. Your output should look similar to the following:

    show security policies
    ...
    }
    policy p1 {
        match {
            source-address any;
            destination-address any;
            application any;
            dynamic-application any;
        }
        then {
            permit {
                application-services {
                    security-intelligence-policy ipf_policy;
                }
            }
        }
    }
    }
    from-zone untrust to-zone trust {
        policy p1 {
            match {
                source-address [ sda-1 any ];
                destination-address any;
                application any;
            }
            then {
                permit;
            }
        }
    }
    default-policy {
        permit-all;
    }

7. Commit your changes.
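Step 1 adds statements cumulatively and Step 2 shows the result: ipf_rule2 ends up with threat-level [ 5 6 ] and the redirect-url action, not the permit action set earlier. The following added example (not Juniper code; the merge behaviour it models is inferred from this page's show output rather than from a Junos grammar, and is an assumption) folds Step 1 statements into the effective rule state so you can check what a profile will actually do before you commit it.

```python
import shlex

# Constructed input: this page's set statements for rule ipf_rule2 and the
# default rule, in the order the page gives them.
SET_COMMANDS = """
set services security-intelligence profile ipf_profile rule ipf_rule2 match feed-name fd1
set services security-intelligence profile ipf_profile rule ipf_rule2 then action permit
set services security-intelligence profile ipf_profile rule ipf_rule2 match threat-level 5
set services security-intelligence profile ipf_profile rule ipf_rule2 then action block close http file secintel_redirect.txt
set services security-intelligence profile ipf_profile rule ipf_rule2 match threat-level 6
set services security-intelligence profile ipf_profile rule ipf_rule2 then action block close http redirect-url http://www.yahoo.com/redirect.html
set services security-intelligence profile ipf_profile rule ipf_rule2 then log
set services security-intelligence profile ipf_profile default-rule then action recommended
set services security-intelligence profile ipf_profile default-rule then log
"""

PREFIX = ["set", "services", "security-intelligence", "profile"]

def parse_profile(text):
    """Fold set statements into {profile: {"category": ..., "rules": {...}}}.
    Assumed merge behaviour (inferred from the page's show output): match values
    accumulate, `then action` keeps only the last statement, `then log` is a flag."""
    profiles = {}
    for line in text.strip().splitlines():
        tok = shlex.split(line)  # keeps a quoted message as one token
        if tok[:4] != PREFIX or len(tok) < 7:
            raise ValueError("not a security-intelligence profile statement: " + line)
        profile = profiles.setdefault(tok[4], {"category": None, "rules": {}})
        if tok[5] == "category":
            profile["category"] = tok[6]
            continue
        # Either "rule <name> <section> ..." or "default-rule <section> ..."
        name, rest = (tok[6], tok[7:]) if tok[5] == "rule" else ("default-rule", tok[6:])
        rule = profile["rules"].setdefault(name, {"match": {}, "then": {}})
        section, key, *values = rest
        values = [v.strip("[]") for v in values if v.strip("[]")]  # "[8 9 10]" -> 8 9 10
        if section == "match":
            bucket = rule["match"].setdefault(key, [])
            bucket.extend(v for v in values if v not in bucket)
        elif key == "action":
            rule["then"]["action"] = " ".join(values)  # permit -> block ...: last wins
        else:
            rule["then"][key] = True
    return profiles

if __name__ == "__main__":
    for name, rule in parse_profile(SET_COMMANDS)["ipf_profile"]["rules"].items():
        print(name, rule["match"], "->", rule["then"])
```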